By law, the HIPAA Privacy Rule applies only to covered entities: health plans, health care clearinghouses and some health care providers. However, most health care providers and health plans do not perform all of their health care activities and functions themselves. Instead, they often use the services of many other individuals or businesses. The Privacy Rule allows covered providers and health plans to disclose protected health information (PHI) to these "business associates" when the providers or plans receive satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity's duties under the Privacy Rule. Covered entities may disclose protected health information to an entity in its role as a business associate only to assist the covered entity in carrying out its health care functions, not for the business associate's independent use or purposes, unless it is necessary for the proper management and administration of the business associate.
HIPAA requires covered entities to work only with business associates that guarantee full protection of PHI. These assurances must take the form of a contract or other agreement between the covered entity and the disclosures of 2.3 ba.1 that are required by law.
If Business Associate believes it has a legal obligation to disclose PHI, it will inform the customer as soon as it becomes aware of such an obligation and, in any event, at least ten (10) working days before the proposed disclosure, of the legal requirement under which it believes that protected health information should be released.
If the client objects to the disclosure of such protected health information, Business Associate will allow the client to exercise all legal rights or remedies that the client may have to object to the disclosure of protected health information, and Business Associate undertakes to provide the customer with such assistance, at the customer's expense, as the customer may reasonably require.
If the customer does not respond, the business associate is entitled to disclose protected health information as it deems reasonably necessary to comply with the law.
In the event that PHI under the responsibility of the business associate is accessed by persons who are not authorized to access the information, the business associate is required to notify the covered entity of the breach and may be required to send notifications to the persons whose PHI has been compromised. The timing and reporting responsibilities should be detailed in the agreement. While it may seem reasonable to set a short window for reporting a breach, remember that the BA may not be aware of the breach until a few days later.
There are a few exceptions to the requirement to sign a business associate agreement. These include specialists to whom a hospital refers a patient and transmits the patient's medical chart for treatment, laboratories to which a physician discloses a patient's PHI for treatment, and the disclosure of PHI to a health plan sponsor, such as an employer, through a group health plan.
[ii] U.S. Department of Health & Human Services (HHS.gov, Health Information Privacy). Available at www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/ccdh/index.html